Different companies in scope ISO 27001

1 - I have some questions regarding ISO 27001- ISMS scope and organizational units. We are implementing the documentation in two of our companies (same corporate group). The whole Company X is within the scope but only the compliance office in Company Y. We include them both in the scope. Is this correct or do we have two sets of documentation? We are using the same equipment and facility at the moment.

If I understood correctly, you have two legally separated companies using the same equipment and facility at this moment.

Considering that, first you need to align with your certification body the possibility to have a single scope for two legally separated companies.

In case this is acceptable by the certification body, you can have a single set of documents, but please note that when you start using different equipment and facility you will need to review the documents.

2 - I also have a question regarding Risk assessment table. To be compliant with the ISO standard- should we change the risks in the risk assessment after the risk treatment? For example, if risk X has been reduced due to implementation of a policy, should we change the risk from e.g., 3 to 2 in the risk assessment? Or should we not change the risks after treatment at all?

 Risks identified during risk assessment must not be changed after risk treatment. What happens is that, after risk treatment, you need to assess the residual risk, i.e., the risk value after the applied treatment.

This article will provide you with further explanation about residual risks:

• Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/